07-07-2008 3:46 PM
Hello,
could someone give me more info on the differences between those cookies?
When I get authenticated by the Java Stack, I get the 3 of them, but when I log on to the SAP Portal, I only get JSESSIONID and sap_lb*.
After configuring SSO for the ABAP backend to accept SAP Logon Tickets, I tried this test: /bc/bsp/sap/system/sso2test.htm but it doesn't work. I thought that being logged in to the SAP Portal in another tab would make this test work, but it didn't.
Help would be really appreciated,
Tanguy
07-07-2008 6:14 PM
>
> After configuring SSO for ABAP backend to accept SAP Logon ticket, I tried this test: /bc/bsp/sap/system/sso2test.htm but it doesn't work, I thought that being logged in the SAP Portal in another tab would make this test work but it didn't.
>
By default, every system only trusts itself (i.e. only accepts its own SAP Logon Tickets).
If you want an ABAP system to accept the tickets which have been issued by a SAP Portal, you need to set up the required trust relationship (see help.sap.com).
[SAP Note 495911|https://service.sap.com/sap/support/notes/495911] provides detailed information on how to analyse logon problems (NWAS ABAP).
07-07-2008 6:10 PM
1. sap_lb* cookie: used by the SAP load balancer (Web Dispatcher) to remember which server subsequent HTTP requests (of a stateful application) need to be sent to
2. JSESSIONID: set by a NWAS Java in response to the first HTTP request (prior to authentication); used to identify an HTTP client
3. MYSAPSSO2: contains the SAP Logon Ticket (session-enabling token), which is created during authentication (after successful validation of the credentials which have been provided by the HTTP client)
07-10-2008 12:07 PM
Hello Janzen,
Thx for your reply, I have one last question:
If a SAP Logon Ticket is issued by a Java Stack Engine with address: enginehost.aaaa.domain.com
to a SAP Backend System configured with SSO with address: sapbackend.bbbb.domain.com
Will this work, or is there a domain suffix problem?
Regards,
Tanguy
07-10-2008 12:11 PM
>
> If a SAP Logon Ticket is issued by a Java Stack Engine with address: enginehost.aaaa.domain.com
>
> to a SAP Backend System configured with SSO with address: sapbackend.bbbb.domain.com
>
> Will this work, or is there a domain suffix problem?
>
The common domain part is .domain.com.
Please note that there are existing constraints for DNS domains which also affect cookies (using domain constraints) - that's documented in
=> see next post below for rest of answer ...
Edited by: Julius Bussche on Jul 10, 2008 11:20 AM
07-10-2008 12:15 PM
Documented in ?
Thx again, I have to investigate this because I always get an empty response from the Java Stack after asking for a redirection to a SAP backend system with the SAP Logon Ticket in it.
07-10-2008 12:19 PM
>
> If a SAP Logon Ticket is issued by a Java Stack Engine with address: enginehost.aaaa.domain.com
>
> to a SAP Backend System configured with SSO with address: sapbackend.bbbb.domain.com
>
> Will this work, or is there a domain suffix problem?
>
The common domain part is .domain.com.
Please note that there are existing constraints for DNS domains which also affect cookies (using domain constraints) - that's documented in [SAP Note 654982|https://service.sap.com/sap/support/notes/654982].
The NWAS Java allows you to control the desired "domain relaxation" - see [SAP Note 701205|https://service.sap.com/sap/support/notes/701205]: ume.logon.security.relax_domain.level
Regards, Wolfgang
PS: sorry, I accidentally submitted my previous posting too early ...
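The domain question discussed in this thread, worked through as an added example (not part of the original posts and not SAP code). It assumes that ume.logon.security.relax_domain.level is the number of leading host labels dropped to form the cookie domain, with 0 meaning a host-only cookie; the function names are hypothetical, and the matching rule is the RFC 6265 domain-match.

```javascript
// Added example. ASSUMPTION: the relax level is the number of leading host
// labels removed from the issuer's host name to form the cookie Domain.

// Domain the ticket cookie would be scoped to (null = host-only cookie).
function relaxedCookieDomain(issuerHost, level) {
  if (!Number.isInteger(level) || level < 0) {
    throw new RangeError("level must be a non-negative integer");
  }
  if (level === 0) return null;
  const rest = issuerHost.toLowerCase().split(".").slice(level);
  // Simplification: require two labels so the cookie is never set for a bare
  // TLD; real browsers consult the public suffix list instead.
  if (rest.length < 2) throw new RangeError("level too high for " + issuerHost);
  return rest.join(".");
}

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// Would a browser attach the issuer's ticket cookie to a request for targetHost?
function browserSendsTicket(issuerHost, level, targetHost) {
  const dom = relaxedCookieDomain(issuerHost, level);
  if (dom === null) return targetHost.toLowerCase() === issuerHost.toLowerCase();
  return domainMatch(targetHost, dom);
}

// Smallest level that reaches targetHost, or null if no shared parent exists.
function minimalRelaxLevel(issuerHost, targetHost) {
  const maxLevel = issuerHost.split(".").length - 2;
  for (let level = 0; level <= maxLevel; level++) {
    if (browserSendsTicket(issuerHost, level, targetHost)) return level;
  }
  return null;
}

// Host names from the thread.
const issuer = "enginehost.aaaa.domain.com";
const backend = "sapbackend.bbbb.domain.com";
for (const level of [0, 1, 2]) {
  console.log(level, relaxedCookieDomain(issuer, level),
              browserSendsTicket(issuer, level, backend));
}
console.log("minimal level:", minimalRelaxLevel(issuer, backend));
```

Under that assumption the cookie only reaches the backend once it is scoped to domain.com, which also means the browser sends the ticket to every other host under that domain; choosing the smallest level that works keeps that exposure as narrow as possible.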